The Float menu WordPress plugin prior to 6.0.1 does not have CSRF check in its bulk actions, which could allow malicious users to make logged in admin delete arbitrary menu via a CSRF attack.
Vulmon